A software supply chain attack represents one of the most insidious forms of hacking. By breaking into a developer's network and hiding malicious code within apps and software updates that users trust, supply chain hijackers can smuggle their malware onto hundreds of thousands—or millions—of computers in a single operation, without the slightest sign of foul play. Now what appears to be a single group of hackers has managed that trick repeatedly, going on a devastating supply chain hacking spree—and becoming more advanced and stealthy as they go.

Over the past three years, supply chain attacks that exploited the software distribution channels of at least six different companies have now all been tied to a single group of likely Chinese-speaking hackers. They're known as Barium, or sometimes ShadowHammer, ShadowPad, or Wicked Panda, depending on which security firm you ask. More than perhaps any other known hacker team, Barium appears to use supply chain attacks as their core tool. Their attacks all follow a similar pattern: Seed out infections to a massive collection of victims, then sort through them to find espionage targets.

The technique disturbs security researchers not only because it demonstrates Barium's ability to disrupt computers on a vast scale but also because it exploits vulnerabilities in the most basic trust model governing the code users run on their machines.

"They're poisoning trusted mechanisms," says Vitaly Kamluk, the director of the Asia research team for security firm Kaspersky. When it comes to software supply chain attacks, "they’re the champions of this. With the number of companies they’ve breached, I don’t think any other groups are comparable to these guys."
Andy Greenberg is a WIRED security writer and author of the forthcoming book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.
In at least two cases—one in which it hijacked software updates from computer maker Asus and another in which it tainted a version of the PC cleanup tool CCleaner—software corrupted by the group has ended up on hundreds of thousands of unwitting users' computers. In those cases and others, the hackers could easily have unleashed unprecedented mayhem, says Silas Cutler, a researcher at Alphabet-owned security startup Chronicle who has tracked the Barium hackers. He compares the potential of those cases to the software supply chain attack that was used to launch the NotPetya cyberattack in 2017; in that case, a Russian hacker group hijacked updates for a piece of Ukrainian accounting software to seed out a destructive worm and caused a record-breaking $10 billion in damage to companies around the world.
"If [Barium] had deployed a ransomware worm like that through one of these attacks, it would be a far more devastating attack than NotPetya," Cutler says.
So far, the group seems focused on spying rather than destruction. But its repeated supply chain hijackings have a subtler deleterious influence, says Kaspersky's Kamluk. "When they abuse this mechanism, they’re undermining trust in the core, foundational mechanisms for verifying the integrity of your system," he says. "This is much more important and has a bigger impact than regular exploitation of security vulnerabilities or phishing or other types of attacks. People are going to stop trusting legitimate software updates and software vendors."

Monitoring Clues Upstream
Kaspersky first noticed the Barium hackers' supply chain attacks in action in July of 2017, when Kamluk says a partner organization asked its researchers to help unravel strange activity on its network. Some sort of malware that didn't trigger antivirus alerts was beaconing out to a remote server and hiding its communications in the Domain Name System protocol. When Kaspersky investigated, it found that the source of those communications was a backdoored version of NetSarang, a popular enterprise remote management tool distributed by a Korean firm.
More puzzling was that the malicious version of NetSarang's product bore the company's digital signature, its practically unforgeable stamp of approval. Kaspersky eventually determined, and NetSarang confirmed, that the attackers had breached NetSarang's network and planted their malicious code in its product before the application was cryptographically signed, like slipping cyanide into a jar of pills before the tamper-proof seal is applied.

Two months later, antivirus firm Avast revealed that its subsidiary Piriform had likewise been breached, and that Piriform's computer cleanup tool CCleaner had been backdoored in another, far more mass-scale supply chain attack that compromised 700,000 machines. Despite layers of obfuscation, Kaspersky found that the code of that backdoor closely matched the one used in the NetSarang case.
Then in January of 2019, Kaspersky found that Taiwanese computer maker Asus had pushed out a similarly backdoored software update to 600,000 of its machines going back at least five months. Although the code looked different in this case, it used a unique hashing function that it shared with the CCleaner attack, and the malicious code had been injected into a similar place in the software's runtime functions. "There are infinite ways to compromise a binary, but they stick to this one method," says Kamluk.

When Kaspersky scanned its customers' machines for code similar to the Asus attack, it found the code matched with backdoored versions of video games distributed by three different companies, which had already been detected by security firm ESET: a knockoff zombie game ironically named Infestation, a Korean-made shooter called Point Blank, and a third that Kaspersky and ESET decline to name. All signs point to the four distinct rounds of supply chain attacks being tied to the same hackers.
"In terms of scale, this is now the group that's most proficient in supply chain attacks," says Marc-Etienne Léveillé, a security researcher with ESET. "We've never seen anything like this before. It's scary, because they have control over a very large number of machines."
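The NetSarang case above turns on one detail: the malicious code was planted before the vendor signed the release, so every signature check downstream passed. The following is an added illustration, not code from the article, from NetSarang, or from any of the firms named; it models a release pipeline where an attacker on the build host edits the artifact before the signing step, then shows that signature verification alone cannot reveal this while a digest comparison against an independent rebuild of the same source can. The signing key, source tree, and payload are constructed stand-ins, and HMAC-SHA256 is used in place of a real asymmetric code-signing key so the block needs only the standard library.

```python
"""Model of a release pipeline compromised before code signing.

Constructed example: the vendor builds an artifact from source, an
attacker with a foothold on the build host appends a payload, and the
vendor then signs the tampered artifact. Signature verification
succeeds, so the signature alone says nothing about the compromise;
comparing the shipped digest against an independent rebuild does.

HMAC-SHA256 is an assumed stand-in for the vendor's code-signing key.
A real pipeline would use an asymmetric signature, but the trust
failure is identical: the key signs whatever is in the build output.
"""
import hashlib
import hmac

# Constructed stand-ins; none of this is real vendor material.
VENDOR_SIGNING_KEY = b"hypothetical-vendor-release-key"
SOURCE_TREE = b"int main(void) { run_remote_admin_tool(); return 0; }\n"
INJECTED_PAYLOAD = b"/* constructed payload: beacon out over DNS queries */\n"


def build(source: bytes) -> bytes:
    """Deterministic build: the artifact is a function of the source alone."""
    return b"ARTIFACT\n" + source


def sign(artifact: bytes, key: bytes) -> bytes:
    """Stand-in for the vendor's signing step (HMAC, not a real code signature)."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify(artifact: bytes, signature: bytes, key: bytes) -> bool:
    """What an update client can check: does the signature match the bytes it got?"""
    return hmac.compare_digest(sign(artifact, key), signature)


def vendor_release(source: bytes, tamper: bytes = b"") -> tuple[bytes, bytes]:
    """Vendor pipeline: build, (attacker edits build output), then sign."""
    artifact = build(source)
    if tamper:
        # The attacker modifies the artifact before the signing step sees it,
        # so the legitimate key ends up vouching for the backdoored bytes.
        artifact = artifact + tamper
    return artifact, sign(artifact, VENDOR_SIGNING_KEY)


def reproducible_build_check(source: bytes, shipped_artifact: bytes) -> bool:
    """Independent rebuild from the same source on a separate host; True if digests match."""
    expected = hashlib.sha256(build(source)).hexdigest()
    actual = hashlib.sha256(shipped_artifact).hexdigest()
    return expected == actual


def assess_release(source: bytes, artifact: bytes, signature: bytes) -> dict:
    """Run both checks so the caller can see which one actually catches the tampering."""
    return {
        "signature_valid": verify(artifact, signature, VENDOR_SIGNING_KEY),
        "matches_independent_build": reproducible_build_check(source, artifact),
    }


if __name__ == "__main__":
    clean = vendor_release(SOURCE_TREE)
    poisoned = vendor_release(SOURCE_TREE, tamper=INJECTED_PAYLOAD)
    print("clean   :", assess_release(SOURCE_TREE, *clean))
    print("poisoned:", assess_release(SOURCE_TREE, *poisoned))
```

The poisoned release reports `signature_valid` as true and `matches_independent_build` as false, which is the whole point: a signature proves who signed, not that the build process that produced the bytes was honest. The second check only works if the build is deterministic and the rebuild happens on infrastructure the attacker did not also control.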

I wouldn't trust anything coming from Kaspersky Labs. They're a bunch of Rooskeys... and are constantly hacked.

Israel hacked Kaspersky, then tipped the NSA that its tools had been breached
In 2015, Israeli government hackers saw something suspicious in the computers of a Moscow-based cybersecurity firm: hacking tools that could only have come from the National Security Agency.
Israel notified the NSA, where alarmed officials immediately began a hunt for the breach, according to people familiar with the matter, who said an investigation by the agency revealed that the tools were in the possession of the Russian government.
Israeli spies had found the hacking material on the network of Kaspersky Lab, the global anti-virus firm under a spotlight in the United States because of suspicions that its products facilitate Russian espionage.
Last month, the Department of Homeland Security instructed federal civilian agencies to identify Kaspersky Lab software on their networks and remove it on the grounds that "the risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security." The directive followed a decision by the General Services Administration to remove Kaspersky from its list of approved vendors. And lawmakers on Capitol Hill are considering a governmentwide ban.
More: https://www.washingtonpost.com/world/nat...80291fecdf

Who's Afraid of Kaspersky?

We went to Kaspersky Lab's SAS conference, where the controversial Russian anti-virus firm showcases its best research, wines and dines competitors and journalists, and burns American espionage operations.

Snip
Kaspersky Lab has been mired in an ongoing crisis. First, on the heels of the congressional inquiry into Russian meddling in the 2016 American presidential elections, the US government proposed and eventually passed a federal ban and purge on the use of Kaspersky Lab software across all government agencies. The British and Dutch governments have since followed suit.
The government bans have also spilled over to the private sector. Best Buy stopped sales of the software, some of Kaspersky Lab’s financial customers dropped it, and more recently, Twitter banned the company from advertising on its platform.
Meanwhile, several news stories alleged that the company’s software helped Russian intelligence services steal highly classified documents from a US National Security Agency contractor. The company’s most recent move to show it’s independent from the Russian government has been to announce a new data center in Switzerland that will store information from customers in US, Europe, Japan, Korea, Singapore and Australia.
